Many companies, military and governmental networks have banned social networking sites like Facebook, Twitter, MySpace & Co. from their networks. For instance, in August 2009 the U.S. Marine Corps banned Social Networking Sites (SNS) from their classified network (called MARINE CORPS ENTERPRISE NETWORK – MCEN):

2. BACKGROUND. INTERNET SNS ARE DEFINED AS WEB-BASED SERVICES THAT ALLOW COMMUNITIES OF PEOPLE TO SHARE COMMON INTERESTS AND/OR EXPERIENCES (EXISTING OUTSIDE OF DOD NETWORKS) OR FOR THOSE WHO WANT TO EXPLORE INTERESTS AND BACKGROUND DIFFERENT FROM THEIR OWN. THESE INTERNET SITES IN GENERAL ARE A PROVEN HAVEN FOR MALICIOUS ACTORS AND CONTENT AND ARE PARTICULARLY HIGH RISK DUE TO INFORMATION EXPOSURE, USER GENERATED CONTENT AND TARGETING BY ADVERSARIES. THE VERY NATURE OF SNS CREATES A LARGER ATTACK AND EXPLOITATION WINDOW, EXPOSES UNNECESSARY INFORMATION TO ADVERSARIES AND PROVIDES AN EASY CONDUIT FOR INFORMATION LEAKAGE THAT PUTS OPSEC, COMSEC, PERSONNEL AND THE MCEN AT AN ELEVATED RISK OF COMPROMISE. EXAMPLES OF INTERNET SNS SITES INCLUDE FACEBOOK, MYSPACE, AND TWITTER.

3. ACTIONS. TO MEET THE REQUIREMENTS OF REF A, ACCESS IS HEREBY PROHIBITED TO INTERNET SNS FROM THE MCEN NIPRNET, INCLUDING OVER VIRTUAL PRIVATE NETWORK (VPN) CONNECTIONS.
[…]

Of course the USMC is not the only organisation that banned Social Networking Sites from its network – many other companies and governments followed the USMC's example and started banning Social Networking Sites as well. The two reasons most often given for such bans are:

Security issues while using Social Networking Sites (privacy, mal- and crimeware, targeted attacks, leak of information on classified networks)

Performance problems/bottlenecks while using Social Networking Sites (direct impact on business/enterprise operations)

I don’t want to discuss with you whether banning Social Networking Sites makes sense, but please let me say a few words about it:

Often there are (legal and comprehensible) reasons to ban SNS from corporate and governmental networks. But the problem is that the responsible persons and/or administrators who decide to ban SNS often don’t know the consequences such a ban can trigger. Let me ask you: do you really think users will accept a ban of their *most-favorite-websites*? Of course most users won’t, so they will start digging holes in your corporate firewall and web proxies/gateways. The points I would like to outline in this post are the consequences you trigger when banning social networks, as well as the risks/threats that result from this.

As said before, most users won’t accept a ban of SNS (and please believe me: that’s a fact ;)). The first thing they will do after your ban becomes active is google for ways of bypassing your security infrastructure. The first thing your users will come across are PHP-based web proxy scripts. One of the most popular PHP-based proxy scripts is called Glype: a tiny, powerful and fast web proxy written in PHP. You just have to download the ZIP file, upload the “upload” folder to some web space and start using your brand new web proxy. But wow – you don’t even have to install your own web proxy, you can just use sites like proxy[dot]org and get a fresh list of 5’000+ working web proxies!

What sounds like honey being poured down their backs to your users is pure pain for the administrators and security folks of companies and governmental organizations: within a few minutes users will be able to bypass security gateways easily. But let’s talk about the security risks of such anonymous web proxies.

*** The bad things you don’t know about such proxies ***
Unfortunately the other side of the coin looks much worse:

You don’t know who runs these proxies

You don’t know whether these proxies are secure and clean of any malware and drive-by downloads

You don’t know the intentions of the persons who run these proxies (maybe they mean ill?)

But you must be aware of one fact: those proxies aren’t anonymous! Web proxy scripts like Glype & Co. have a freely configurable option that lets the administrator of the (Glype) proxy decide whether or not to log the requests passing through his proxy. And you can be sure that most Glype administrators will do so.

*** The facts ***
The fact is that there are a lot of insecure servers out there running Glype: I was able to retrieve the logs of several Glype proxies, and the results are really interesting. Some statistical information first:

I took a few hours to analyse the log files. The result of my analysis didn’t surprise me much (top countries by unique IPs):

Most of the top countries shown above are explainable: China (for building a great firewall around its internet users), Turkey (for banning most favourite websites like Facebook, MySpace, WordPress and Blogspot) and Germany (for the planned Data Retention Law).

Let’s take a deeper look at the origin IP addresses that are using such Glype proxies. A huge part of the Glype users come from:

Educational networks like schools and universities (trying to break the blockade of Facebook & Co. on edu networks)

Home users on DSL and dial-up accounts (trying to bypass the internet censorship of their ISPs/country)

Besides this (mostly) legitimate traffic (generally I don’t support internet censorship in any country, so in my opinion this is some kind of legitimate traffic), there is a lot of noise coming from governmental and military networks around the world. I won’t name any countries, but you can be sure that dozens of countries are affected. Some of the affected departments and ministries are listed below (I have translated most of them from other languages, so don’t assume all of them belong to the US – they don’t):

Ministry of Foreign Affairs

Ministry of Finance

Ministry of Economy

Ministry of Statistics

Ministry of Administration and Interior

Ministry of Industry

Ministry of Interior and Justice

Ministry of Labour and Social Policy

Ministry of Social Development

Department of Defense

Department of Atomic Energy

Department of Health

Department of Science and Technology

Department of Home Affairs

Department of Water Affairs and Forestry

Department of Environment and Conservation

National Laboratory

National Police Service

Residence of the President

Atomic Energy Commission

Centre for Atomic Research

State police

National Telecommunications Commission

Supervision and Administration Commission

State-owned news agency

Various Military Test- and Command Centres around the globe

Various networks which are just named as “Government of xxxx”

Let’s have a look at the top websites accessed through those Glype proxies:

# of hits   Domain                       Description
6’799’818   www.aisex.com                Chinese porn site
5’195’698   www.facebook.com             Facebook (incl. fbcn.net)
1’019’967   doubleclick.net              Advertising
  629’881   www.t66y.com                 Chinese porn site
  619’020   change.menelgame.pl          Online game
  582’162   whitepages.com.au            Australian address / telephone directory
  565’832   www.wretch.cc                Chinese social network / news site
  489’843   www.manyway.net              Advertising
  477’499   www.youtube.com              YouTube
  473’341   www.google-analytics.com     Tracker / web statistics
  363’371   www.xvideos.com              Porn site
  348’057   notification.pennergame.de   Online game
  318’106   www.pidown.com               Free file hosting (misused for torrents)
  297’981   www.highba.com               Chinese porn site
  295’866   www.google.com               Google
  267’695   www.palacemoon.com           Chinese porn site
  266’117   i1.hk                        Unknown
  265’410   www.divshare.com             File sharing / Webdriver (supported by Amnesty International)
  259’349   www.mycould.com              Chinese forum
  255’328   www.jword.jp                 Unknown
  229’032   www.denic.de                 German domain registrar (whois misuse)
  198’225   www.139flash.com             Online games

As we know, most users of these Glype proxies are located in China. But for those of you who thought that the Chinese users are searching for “free speech” and “tibet”, I have to disappoint you: the Chinese folks don’t seem to be any different from the folks in the West. So don’t be surprised that the top website is a Chinese porn site (you didn’t know? China also blocks access to various porn sites).

*** Glype proxies as security risk ***
As I already pointed out, I don’t see a problem in users bypassing internet censorship per se. They just have to know that they don’t really surf anonymously when they use such script-based proxies (like Glype) and that those log files are probably accessible by anyone from anywhere.

But such proxies become a problem as soon as they are used by employees of governmental and military organisations (as shown above): these proxies could be a great resource for terrorist organizations and foreign intelligence services! Many of the governmental traces I’ve seen are on Facebook, so I was able to catch the names of employees of various governmental and military organizations. To show you the threat of such ‘information’ I will give a real example which I saw in those log files.

You might have noticed that I mentioned a Ministry of Foreign Affairs before (of a country which I won’t name here). While checking the logs I came across a user who surfed on Facebook. The log files provide a link to the profile of an employee of the Ministry of Foreign Affairs. When I checked the profile, I noticed that this user is obviously an employee of the Security Service at the Ministry of Foreign Affairs. In fact, this person is now a high-value target for terrorist organizations and foreign intelligence services, who are now able to get personal information about this person easily. This allows them to apply pressure and blackmail the person in order to gain access to classified information and documents.

*** Conclusion ***
My research on these Glype proxies allows me to draw the following conclusions:

Glype (and other script-based) proxies aren’t really anonymous

You don’t know who runs these proxies

Most users of those proxies just want to bypass the internet censorship of their country or school/university

But there are many users from governmental and military organizations using those proxies too

In those cases you may be able to hide your web traffic from your administrator, but you will leave traces in other places which are probably a threat to your whole company!

Administrators and security folks have to know about these risks and have to adopt compensating measures and/or provide awareness to their users

If you run such a Glype proxy you have to know that you will probably be held responsible for any illegal activities passing through your proxy. Are you sure that your Glype proxy is not being abused to access illegal content like child porn?
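One compensating measure on the administrator's side, as an added example that is not code from the original post: scanning the corporate egress-proxy log for requests routed through Glype-style script proxies and recovering the real destination. The log lines are constructed, and the `browse.php?u=` signature with a percent- or base64-encoded destination is an assumption about Glype's URL layout, not something the post states.

```python
import re
import base64
from urllib.parse import urlsplit, unquote

# Constructed sample egress-proxy log lines (simplified Squid-style native format):
# timestamp elapsed client_ip status bytes method url user hierarchy type
SAMPLE_LOG = """\
1251201600.123 340 10.1.2.3 TCP_MISS/200 5120 GET http://intranet.example/news.html alice DIRECT/10.9.9.9 text/html
1251201601.456 512 10.1.2.3 TCP_MISS/200 9876 GET http://proxy.example.org/browse.php?u=http%3A%2F%2Fwww.facebook.com%2Fhome.php&b=4 alice DIRECT/198.51.100.7 text/html
1251201602.789 498 10.1.2.8 TCP_MISS/200 2211 GET http://another-proxy.example/browse.php?u=aHR0cDovL3d3dy5teXNwYWNlLmNvbS8=&b=12 bob DIRECT/203.0.113.5 text/html
1251201603.001 120 10.1.2.8 TCP_MISS/200 3300 GET http://www.example.com/index.php?u=hello carol DIRECT/192.0.2.4 text/html
"""

# Assumed Glype-style signature: a browse.php script carrying the real destination
# in the "u" query parameter, either percent-encoded or base64-encoded.
GLYPE_RE = re.compile(r"/browse\.php\?", re.IGNORECASE)

def decode_target(u_value):
    """Return the real destination hidden in a browse.php 'u' value, or None."""
    candidate = unquote(u_value)
    if candidate.lower().startswith(("http://", "https://")):
        return candidate
    # Not a plain URL: try base64, re-adding any stripped '=' padding first
    padded = candidate + "=" * (-len(candidate) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except Exception:
        return None
    return decoded if decoded.lower().startswith(("http://", "https://")) else None

def find_proxy_bypasses(log_text):
    """Return (client_ip, user, proxy_host, real_target) for each Glype-style request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        client_ip, url, user = fields[2], fields[6], fields[7]
        if not GLYPE_RE.search(url):
            continue  # ordinary request, not routed through a script proxy
        parts = urlsplit(url)
        # Pull the raw "u" value ourselves so a '+' inside base64 is not turned into a space
        m = re.search(r"(?:^|&)u=([^&]*)", parts.query)
        target = decode_target(m.group(1)) if m else None
        hits.append((client_ip, user, parts.hostname, target))
    return hits

if __name__ == "__main__":
    for ip, user, proxy_host, target in find_proxy_bypasses(SAMPLE_LOG):
        print(f"{ip} ({user}) via {proxy_host} -> {target}")
```

A hit with a recovered target tells the administrator both that the block is being circumvented and which site the user actually reached, which is the same information the unknown proxy operator is logging on his side.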

4 Responses to “When You Think You Surf Anonymously But You Don’t”

Thank you for this interesting report. I think there are better solutions than blocking social network sites.... As you said: they will look for another way to visit the website... and in most cases they find a more dangerous way. I prefer not to block sites (except illegal stuff, child porn, etc. of course) but to inform users about the company internet usage policies. Another solution can be to decrease the bandwidth for those sites to ensure that business operations are not handicapped.

btw: I already saw some “power-users” building a private tunnel to their home PC to be free for all sites and ports... there is always a way out as long as only one outgoing port is available.